North American Technology Group

Using Qualys in a
Retail / eCommerce Environment

* Architect/Manager of Network & Security for Systemax North American Technology Group. Many of you know of us as Tiger Direct.

* 10+ years experience in Network & Security.

* A+, Network+, Linux+, MCSE (NT4), MCSA (2003), VCP
* CCNA Networking & Wireless & Security
* CEH & ECSA
Our Environment


* We don't want to worry about scanning only when there are network changes, but rather we scan ALL the time.

* We like for the scan results to be up to date for the custodians and Executive Management.

* We want to make sure that we scan on different days & times, so we find systems that may not always be turned on.

* If a scan fails, we don't have to worry because the scan has an automatic make-up day configured, and is scanned at least 2 times.

VM Program Objectives


* We broke up our sites into Asset Groups by Country/State & Function.

* We then spent 15 months running multiple different scans with different settings for all sites.

* We used this data as our baseline to come up with the best scan schedule, to support our requirements of having many scans happening on a recurring basis.

* Having a good scan schedule also minimizes the need for ad hoc scans, since the scan results are constantly being updated.

Building the Program


* Some appliances are situated on the network with many VLAN tags, so scanning occurs on the local subnet and doesn't traverse a firewall/IPS.

* ALL sites are scanned at least 2 times per week on a recurring schedule.

* All scans are configured with a make-up day, so if the scan doesn't complete in its allotted time, the scan is paused and automatically resumed on another day.

Scanner Placement


[Screenshot: Edit Scheduled Vulnerability Scan dialog, Scheduling tab. Fields visible: Task Title, Target Hosts, Start date/time with time zone (the example reads Nov 21, 2013, 12:30, GMT+0530 India with DST), Duration with "Pause after 01 hours" checked, Resume Days (shown as "Manually" in this dialog), Occurs: Daily every 1 days, and an optional "Ends after".]

Scan Schedule Options


[Screenshot: QualysGuard Enterprise Suite > Vulnerability Management > Scans > Schedules. Scheduled scans listed, all assigned to user Julio Delgado:]

Title                  Targets              Scanner          Next Launch                        Previous Duration
NetSec-Naperville175   Asset Tags Included  TD-CORP-QCORP-1  02/25/2014 at 01:15:00 (GMT-0500)  01:34:47
Office-Miami-A         Asset Tags Included  TD-CORP-QCORP-1  02/25/2014 at 10:00:00 (GMT-0500)  01:39:21
Office-Miami-B         Asset Tags Included  TD-CORP-QCORP-1  02/25/2014 at 20:00:00 (GMT-0500)  01:35:29
Servers-Atlanta        Asset Tags Included  TD-ATL-Q1        02/25/2014 at 23:00:00 (GMT-0500)  01:44:45
Servers-MiamiCorp      Asset Tags Included  TD-CORP-QCORP-1  02/25/2014 at 23:00:00 (GMT-0500)  00:20:36
Servers-Naperville175  Asset Tags Included  TD-NAPER-Q1 (name garbled in screenshot)  02/25/2014 at 23:00:00 (GMT-0500)  02:06:30
Stores-Canada          Asset Tags Included  TD-NAP-QMPLS-3   03/01/2014 at 11:00:00 (GMT-0500)  03:32:45
Stores-Delaware        Asset Tags Included  TD-NAP-QMPLS-2   03/01/2014 at 11:00:00 (GMT-0500)  00:59:56
Stores-Florida         Asset Tags Included  TD-NAP-QMPLS-1   03/01/2014 at 15:00:00 (GMT-0500)  01:55:54
Stores-Georgia         Asset Tags Included  TD-NAP-QMPLS-1   03/01/2014 at 13:00:00 (GMT-0500)  00:21:20

Scan Schedule


[Screenshot: Vulnerability Management > Scans > Schedules, calendar view for Tuesday, February 25, 2014 (VM scans, map scans, compliance scans and web app scans calendars enabled). Scans are staggered through the day: 01:00 DC-Miami-NapAg; 01:15 DC-Miami-NapCore and NetSec-Naperville175; 03:15 NetSec-Atlanta; 03:30 NetSec-DC; 05:15 NetSec-MPLS; 10:00 Office-Miami-A and Warehouse-Atlanta-A.]

Scan Calendar


* Identify all subnets where DHCP is primarily used. For example, Workstation subnets, VOIP Phone subnets, VDI subnets, etc.

* Switch Host Tracking for those subnets from IP tracking to NetBIOS or DNS tracking.

* You may need to purge scan data for hosts with the wrong IP scanned prior to the Host Tracking change.

* Now when hosts are scanned in the subnets you identified, their data will be saved under their NetBIOS or DNS name, and not their IP.

* So if Workstation A gets different IPs from DHCP, the scan results will be reported for Workstation A one time, regardless of the IP it got from DHCP.

Challenge of Fighting DHCP
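The effect of the host-tracking switch, as an added example that is not part of the original slides: the scan records below are constructed (hostnames, addresses and QIDs are made up), and the merge logic is a model of the idea, not Qualys's own code. Keyed by IP, one workstation that cycles through three DHCP leases shows up as three hosts, a patched finding lingers on a lease it no longer holds, and a second workstation that inherits the first lease shares its history; keyed by NetBIOS name, each workstation is one host with its newest results. The last helper lists the IP-keyed records older than the cut-over date, which are the candidates for the purge the slide mentions.

```python
"""Merge per-scan records into one record per host, keyed by IP or by
NetBIOS name. Added example, not from the original slides; the scan
records, names and QIDs are constructed for illustration."""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: WKS-A holds three different DHCP leases across four
# weekly scans and is fully patched by the last one; WKS-B later receives
# the address WKS-A had in the first scan.
SCAN_RESULTS: List[dict] = [
    {"date": "2014-02-04", "ip": "10.20.5.31", "netbios": "WKS-A", "qids": {90001, 90002}},
    {"date": "2014-02-11", "ip": "10.20.5.77", "netbios": "WKS-A", "qids": {90002}},
    {"date": "2014-02-18", "ip": "10.20.5.31", "netbios": "WKS-B", "qids": {90003}},
    {"date": "2014-02-25", "ip": "10.20.5.90", "netbios": "WKS-A", "qids": set()},
]


def latest_findings(results: Iterable[dict], tracking: str) -> Dict[str, Tuple[str, Set[int]]]:
    """One entry per host identity, holding the newest scan's date and open QIDs.
    tracking="ip" mimics IP tracking; tracking="netbios" mimics NetBIOS tracking
    (DNS tracking works the same way with the DNS name as the key)."""
    if tracking not in ("ip", "netbios"):
        raise ValueError("tracking must be 'ip' or 'netbios'")
    latest: Dict[str, dict] = {}
    for rec in sorted(results, key=lambda r: r["date"]):
        latest[rec[tracking]] = rec  # a newer scan replaces the older one for the same key
    return {key: (rec["date"], set(rec["qids"])) for key, rec in latest.items()}


def open_vuln_count(findings: Dict[str, Tuple[str, Set[int]]]) -> int:
    """Open vulnerability instances a report built from these findings would show."""
    return sum(len(qids) for _, qids in findings.values())


def stale_hosts(results: Iterable[dict], as_of: str) -> List[str]:
    """IP-keyed hosts whose newest scan predates the tracking cut-over date.
    These are the records that may need purging after the host-tracking change,
    since their findings belong to whichever machine held the lease back then."""
    by_ip = latest_findings(results, "ip")
    return sorted(ip for ip, (date, _) in by_ip.items() if date < as_of)


if __name__ == "__main__":
    for mode in ("ip", "netbios"):
        f = latest_findings(SCAN_RESULTS, mode)
        print(f"{mode:8s} tracking: {len(f)} hosts, {open_vuln_count(f)} open findings -> {f}")
    print("purge candidates:", stale_hosts(SCAN_RESULTS, "2014-02-25"))
```

With IP tracking the report counts three hosts and two open findings, one of them the already-fixed QID 90002 stuck on the 10.20.5.77 lease; with NetBIOS tracking it counts two hosts and one open finding, which is the real state of the fleet.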


* Qualys is scanning.

* Vulnerabilities are being found.

* There's a ton of vulnerabilities, and more are being discovered with every scan.

* How do you get things under control?

* Enable the Remediation Module, for tickets to start being created for each vulnerability discovered.

* Create a Remediation Policy that sets the deadline by which you require vulnerabilities to be fixed. For example:

  * Internal Hosts
    * Severity 5 = 7 days
    * Severity 3 & 4 = 30 days
    * Severity 1 & 2 = 90 days

  * External Hosts
    * Severity 3, 4 & 5 = 7 days
    * Severity 1 & 2 = 30 days

Challenge of Remediation of Vulnerabilities...


[Screenshot: Remediation > Policies, showing three of 50 rules:]

Order  Title                        Assign To      Deadline
26     Internal-NetSec-Severity5    Julio Delgado  7 days
27     Internal-NetSec-Severity3-4  Julio Delgado  30 days
28     Internal-NetSec-Severity1-2  Julio Delgado  90 days

Remediation Deadlines


[Screenshot: Remediation > Policies, rules 32-46 of 50, one set of three severity rules per team, each assigned to that team's lead:]

Order  Title                           Assign To           Deadline
32     Internal-HelpDesk-Severity5     Peter Goldwasser    7 days
33     Internal-HelpDesk-Severity3-4   Peter Goldwasser    30 days
34     Internal-HelpDesk-Severity1-2   Peter Goldwasser    90 days
35     Internal-Telecom-Severity5      Henry Rey           7 days
36     Internal-Telecom-Severity3-4    Henry Rey           30 days
37     Internal-Telecom-Severity1-2    Henry Rey           90 days
38     Internal-POS-Severity5          Christopher Fowler  7 days
39     Internal-POS-Severity3-4        Christopher Fowler  30 days
40     Internal-POS-Severity1-2        Christopher Fowler  90 days
41     Internal-Warehouse-Severity5    Greg Wiltse         7 days
42     Internal-Warehouse-Severity3-4  Greg Wiltse         30 days
43     Internal-Warehouse-Severity1-2  Greg Wiltse         90 days
44     Internal-Servers-Severity5      Peter Amato         7 days
45     Internal-Servers-Severity3-4    Peter Amato         30 days
46     Internal-Servers-Severity1-2    Peter Amato         90 days

Tickets Assigned to Team Leads


* Not all vulnerabilities can be solved.

* Some vulnerabilities are false positives.

* Some vulnerabilities are Acceptable Risks.

* Some vulnerabilities have no fixes.

* How do you create an Exception, so that reporting takes that into account?

* Using the Remediation Policies, create Exception Rules.

* Note: Remediation Policy Rules are read from top to bottom; the first rule that matches wins. An Exception Rule placed below the severity rule that covers the same host never fires.

* Create an internal ticket in your company's ticketing system. Document details of the Exception. Obtain approvals. Attach any vendor case notes or advisories.

* Reference the internal ticket # in your Qualys Remediation Policy rule, and configure the Exception accordingly. Also put a short note of False Positive; or No Fix; or Acceptable Risk.

* For details, they can read the internal company ticket.

* If you need to update existing vulnerability tickets, use the GUI; if it's many tickets, use the PowerShell script previously referenced.

Challenge of Exceptions...
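The "top to bottom, first match wins" rule and its consequence for where an Exception Rule sits, as an added example that is not part of the original slides: the rule model below is a simplification (three match criteria: severity, QID, asset group) rather than Qualys's actual policy engine, and the QID 90005, ticket number INC0001234 and assignee names are constructed. It builds the same severity rules the deck shows for Internal-NetSec, adds a "No Fix" exception once above them and once below them, and includes a check that reports any exception rule an earlier rule would always win against.

```python
"""Model of an ordered remediation policy: rules are evaluated top to
bottom and the first match wins. Added example, not Qualys code; the
match criteria, QID, ticket number and names are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ALL_SEVERITIES = frozenset({1, 2, 3, 4, 5})


@dataclass
class Rule:
    order: int
    title: str
    assign_to: str
    deadline_days: Optional[int]                 # None marks an exception rule (no deadline)
    severities: FrozenSet[int] = frozenset()     # empty = any severity
    qids: FrozenSet[int] = frozenset()           # empty = any QID
    asset_groups: FrozenSet[str] = frozenset()   # empty = any asset group
    note: str = ""

    def matches(self, vuln: dict) -> bool:
        return (
            (not self.severities or vuln["severity"] in self.severities)
            and (not self.qids or vuln["qid"] in self.qids)
            and (not self.asset_groups or vuln["asset_group"] in self.asset_groups)
        )


def evaluate(policy: List[Rule], vuln: dict) -> Optional[Rule]:
    """Top to bottom, first matching rule wins; None if no rule matches."""
    for rule in sorted(policy, key=lambda r: r.order):
        if rule.matches(vuln):
            return rule
    return None


NETSEC = frozenset({"Internal-NetSec"})
SEVERITY_RULES = [  # the deck's Internal-NetSec rules: 7 / 30 / 90 days
    Rule(26, "Internal-NetSec-Severity5", "netsec-lead", 7, frozenset({5}), asset_groups=NETSEC),
    Rule(27, "Internal-NetSec-Severity3-4", "netsec-lead", 30, frozenset({3, 4}), asset_groups=NETSEC),
    Rule(28, "Internal-NetSec-Severity1-2", "netsec-lead", 90, frozenset({1, 2}), asset_groups=NETSEC),
]


def no_fix_exception(order: int) -> Rule:
    # Constructed: QID 90005 has no vendor fix; INC0001234 is the internal ticket
    return Rule(order, "Exceptions-NoFix-INC0001234", "User Running Scan", None,
                qids=frozenset({90005}), asset_groups=NETSEC, note="No Fix; see INC0001234")


def build_policy(exceptions_first: bool = True) -> List[Rule]:
    """Same rules, with the exception ordered above (10) or below (99) the severity rules."""
    return SEVERITY_RULES + [no_fix_exception(10 if exceptions_first else 99)]


def shadowed_exceptions(policy: List[Rule]) -> List[Tuple[str, dict]]:
    """Probe every exception rule with the vulnerabilities it is meant to cover and
    report those where an earlier rule wins instead. Exception rules are expected
    to name explicit QIDs; an unrestricted severity or group is probed with all
    severities or a wildcard group, so this check is a lint, not a proof."""
    shadowed = []
    for rule in policy:
        if rule.deadline_days is not None:
            continue
        for qid in rule.qids:
            for sev in rule.severities or ALL_SEVERITIES:
                for grp in rule.asset_groups or frozenset({"*"}):
                    probe = {"qid": qid, "severity": sev, "asset_group": grp}
                    if evaluate(policy, probe) is not rule:
                        shadowed.append((rule.title, probe))
    return shadowed


if __name__ == "__main__":
    vuln = {"qid": 90005, "severity": 5, "asset_group": "Internal-NetSec"}
    for first in (True, False):
        hit = evaluate(build_policy(first), vuln)
        print(f"exception first={first}: {hit.title} -> deadline {hit.deadline_days}")
    print("shadowed:", shadowed_exceptions(build_policy(False)))
```

With the exception at order 10 the No Fix rule wins and the finding gets no deadline; at order 99 the Severity5 rule wins first and the same finding carries a 7-day deadline, which is exactly the ticket that shows up overdue on the dashboard even though nobody can fix it. Running the shadow check as part of a policy review catches that before the next scan creates the tickets.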


[Screenshot: Remediation > Policies, two views of the exception rules, which sit above the severity rules and are assigned to "User Running Scan". Titles follow the pattern Exceptions-FalsePositive-<ticket #>, Exceptions-AcceptableRisk-<ticket #> and Exceptions-NoFix-<ticket #> (orders 10-13 and 17-20 visible; ticket numbers obscured in the screenshot).]

Remediation Exceptions


[Screenshot: QualysGuard Enterprise Suite > Vulnerability Management > Remediation > Policies, rules 24-34 of 50 (assignee surnames obscured in the screenshot):]

Order  Title                                        Assign To          Deadline  Modified
24     Exceptions-AcceptableRisk-<ticket #>         User Running Scan  None      01/22/2014
25     Exceptions-AcceptableRisk-<ticket #>         User Running Scan  None      01/29/2014
26     Internal-NetSec-Severity5                    Julio              7 days    04/09/2013
27     Internal-NetSec-Severity3-4                  Julio              30 days   04/09/2013
28     Internal-NetSec-Severity1-2                  Julio              90 days   04/09/2013
29     Internal-Aux...-Severity5 (name garbled)     Joseph             7 days    10/17/2013
30     Internal-Aux...-Severity3-4 (name garbled)   Joseph             30 days   10/17/2013
31     Internal-Aux...-Severity1-2 (name garbled)   Joseph             90 days   10/17/2013
32     Internal-HelpDesk-Severity5                  Peter              7 days    10/17/2013
33     Internal-HelpDesk-Severity3-4                Peter              30 days   10/17/2013
34     Internal-HelpDesk-Severity1-2                Peter              90 days   10/17/2013

Remediation Policy


Total Tickets by Severity Level

Severity  # of Tickets  Open   Resolved  Closed  Avg. Resolution  Overdue
5         56347         13730  0         42617   35.3 days        5652
4         67243         14235  0         53008   40.3 days        6974
3         81894         32264  0         49630   47.3 days        20649
2         43995         14496  0         29499   N/A              6818
1         6902          5288   0         1614    60.2 days        3117
Totals:   256381        80013  0         176368  41.8 days        43210

Tickets per User (surnames obscured in the screenshot)

Name    # of Tickets  Open   Resolved  Closed  Avg. Resolution      Overdue
Peter   87990         37232  0         50758   N/A                  29536
Peter   118483        33562  0         84921   (garbled in source)  7632
Julio   33276         4664   0         28612   51.7 days (garbled in source)  4115
Henry   2298          2051   0         247     N/A                  78 (garbled in source)
Joseph  2034          1749   0         285     N/A                  1641
Greg    2220          697    0         1523    N/A                  166

Tickets Per User Report


Tickets per Asset Group (group names partly garbled in the screenshot)

Group                              # of Tickets  Open  Resolved  Closed  Avg. Resolution  Overdue
Global-M...-Workstations           3900          962   0         2938    N/A              405
Global-MAB-WorkstationsIT          2624          955   0         1669    N/A              614
Global-CorpNaperATL-ScannerGuns    2426          697   0         1729    N/A              166
Global-MPLS-WirelessAPs            1060          662   0         398     N/A              658
Global-MPLS-Servers20              2242          645   0         1597    N/A              133
Global-MPLS-NetSecMgmt             860           398   0         462     N/A              329
Global-N...-Telecom                918           339   0         579     N/A              36

Tickets Per Asset Group


* I don't have the answers for everything, but would be glad to share whatever knowledge I do have.

* If we don't get to talk, feel free to email me at Julio.Delgado@syx.com. Or my personal email of tekdj1@gmail.com

Q&A